[nsp-sec] ACK AS852 - RE: DNS Reflection DDoS
Chris Calvert
Chris.Calvert at telus.com
Tue Mar 1 10:15:15 EST 2011
Thanks Nick, more than a couple of mine in there. I’ll see what we can do.
ACK for AS852.
chris
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Nicholas Ianelli
> Sent: Monday, February 28, 2011 9:26 PM
> To: NSP-SEC List
> Subject: [nsp-sec] DNS Reflection DDoS
> Importance: High
>
> ----------- nsp-security Confidential --------
>
>
> * PGP Signed by an unverified key: 02/28/11 at 21:25:57
>
> We have been getting hit with a DNS reflection attack. Here are the specs:
>
> It's currently hitting 204.74.115.1, though it's hit a few different IPs
> of ours. It's an ANY query for isc.org with the EDNS option set to 4096.
>
> Looks like this:
>
> 23:55:09.105010 00:19:e2:2d:45:79 > 00:30:48:cb:86:f0, ethertype IPv4
> (0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags
> [none], proto: UDP (17), length: 64) 204.74.109.1.25345 >
> 204.74.103.145.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT
> UDPsize=4096 (36)
>
> We've captured over 3400 IPs involved in the attack. Full list can be
> found here. Not sure what if anything can be done.
>
> https://asn.cymru.com/nsp-sec/upload/1298951475.whois.txt
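A defender-side check for the query pattern described in the quoted message (ANY queries advertising a 4096-byte EDNS buffer), added here as an example and not part of the original thread: it parses tcpdump lines in the format quoted above and counts matching queries per source address. The function names, the threshold and the documentation-range sample addresses are assumptions; `PAGE_LINE` is the capture from the message joined onto one line.

```python
import re
from collections import Counter

# IPv4/UDP part of a tcpdump DNS query line:
# "<src>.<sport> > <dst>.53: ... <QTYPE>? <name>. ... UDPsize=<n>"
QUERY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: .*?"
    r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
    r"(?:.*?UDPsize=(?P<udpsize>\d+))?"
)

def parse_query(line):
    """Return (src, dst, qtype, qname, edns_udpsize or None), or None if not a query to port 53."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    size = int(m["udpsize"]) if m["udpsize"] else None
    return m["src"], m["dst"], m["qtype"], m["qname"].rstrip(".").lower(), size

def reflection_suspects(lines, min_udpsize=4096, threshold=3):
    """Count ANY queries with a large EDNS buffer per source IP as printed in
    the capture; return the sources at or above the (assumed) threshold."""
    hits = Counter()
    for line in lines:
        q = parse_query(line)
        if q and q[2] == "ANY" and q[4] is not None and q[4] >= min_udpsize:
            hits[q[0]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Capture line from the message, joined onto one line.
PAGE_LINE = (
    "23:55:09.105010 00:19:e2:2d:45:79 > 00:30:48:cb:86:f0, ethertype IPv4 "
    "(0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags [none], "
    "proto: UDP (17), length: 64) 204.74.109.1.25345 > 204.74.103.145.53: "
    "[no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)"
)

# Constructed sample input (RFC 5737 documentation addresses, not real traffic).
EDNS = "ar: . OPT UDPsize=4096 (36)"
SAMPLE = [
    f"00:00:01.000000 IP 198.51.100.7.40001 > 192.0.2.53.53: 4242+ [1au] ANY? isc.org. {EDNS}",
    f"00:00:01.100000 IP 198.51.100.7.40002 > 192.0.2.53.53: 4243+ [1au] ANY? isc.org. {EDNS}",
    f"00:00:01.200000 IP 198.51.100.7.40003 > 192.0.2.53.53: 4244+ [1au] ANY? isc.org. {EDNS}",
    "00:00:02.000000 IP 198.51.100.9.40004 > 192.0.2.53.53: 7+ A? example.com. (29)",
    f"00:00:03.000000 IP 203.0.113.5.40005 > 192.0.2.53.53: 9+ [1au] ANY? isc.org. {EDNS}",
]

if __name__ == "__main__":
    print(parse_query(PAGE_LINE))
    print(reflection_suspects(SAMPLE))
```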